Giulia Traverso

Dynamic and Verifiable Hierarchical Secret Sharing

In this work we provide a framework for dynamic secret sharing and present the first dynamic and verifiable hierarchical secret sharing scheme based on Birkhoff interpolation. Since the scheme is dynamic it allows, without reconstructing the message distributed, to add and remove shareholders, to renew shares, and to modify the conditions for accessing the message. Furthermore, each shareholder can verify its share received during these algorithms protecting itself against malicious dealers and shareholders. While these algorithms were already available for classical Lagrange interpolation based secret sharing, corresponding techniques for Birkhoff interpolation based schemes were missing. Note that Birkhoff interpolation is currently the only technique available that allows to construct hierarchical secret sharing schemes that are efficient and allow to provide shares of equal size for all shareholder in the hierarchy. Thus, our scheme is an important contribution to hierarchical secret sharing.

AS 3 : Adaptive social secret sharing for distributed storage systems

Distributed storage allows to outsource a document to the cloud such that multiple users can easily access the file. The protection of the document stored relies on secret sharing, which generates and distributes shares of the document to the storage servers. However, the users have to trust that a certain amount of storage servers behaves honestly and do not lose (retrievability) or reveal (confidentiality) the document. To address this so called social secret sharing schemes were developed that allow to adjust the distribution of shares according to the experience made with the involved storage servers. In this work, we provide a framework called AS3 that allows to build social secret sharing schemes based on dynamic secret sharing. The resulting protocol has more freedom in adjusting the parameters of the shares distribution and therefore leads to more efficient and accurate solutions as well as an optimal storage consumption. Furthermore, we provide measures to detect and to prevent that the document is lost or accidentally revealed to individual storage servers. We also demonstrate how to compute trust values for storage servers, how to initialize trust values for newcomers, and provide a proof of concept implementation.

Efficient and Privacy Preserving Third Party Auditing for a Distributed Storage System

When using distributed storage systems to outsource data storage into the cloud, it is often vital that this is done in a privacy preserving way, i.e., without the storage servers learning anything about the stored data. Especially when storing critical data, one often further requires efficient means to check whether the data is actually stored correctly on these servers. In the best case, such an auditing could itself be outsourced to a third party which does not need to be trusted by the data owner. That is, also the auditing mechanism should guarantee privacy, even if the auditor collaborates with a (sub) set of the storage servers. However, so far only a small number of privacy preserving third party auditing mechanisms has been presented for single server storage solutions, and no such protocols exist at all for a distributed storage setting. In this paper, we therefore define and instantiate a privacy preserving auditable distributed storage system. Our instantiation can be based on any homomorphic secret sharing scheme, and is fully keyless, efficient, and information-theoretically private. Furthermore, it supports batch audits, and is backward compatible with existing secret sharing based storage solutions.

Homomorphic Signature Schemes

In this chapter two types of signature schemes satisfying homomorphic properties are presented. In the first section a description of the homomorphic signature schemes suitable in the single-user scenario is provided. In the second section the homomorphic signature schemes that support the multi-user case are presented.

Performing Computations on Hierarchically Shared Secrets

Hierarchical secret sharing schemes distribute a message to a set of shareholders with different reconstruction capabilities. In distributed storage systems, this is an important property because it allows to grant more reconstruction capability to better performing storage servers and vice versa. In particular, Tassa’s conjunctive and disjunctive hierarchical secret sharing schemes are based on Birkhoff interpolation and perform equally well as Shamir’s threshold secret sharing scheme. Thus, they are promising candidates for distributed storage systems. A key requirement is the possibility to perform function evaluations over shared data. However, practical algorithms supporting this have not been provided yet with respect to hierarchical secret sharing schemes. Aiming at closing this gap, in this work, we show how additions and multiplications of shares can be practically computed using Tassa’s conjunctive and disjunctive hierarchical secret sharing schemes. Furthermore, we provide auditing procedures for operations on messages shared hierarchically, which allow to verify that functions on the shares have been performed correctly. We close this work with an evaluation of the correctness, security, and efficiency of the protocols we propose.

Evaluation of Homomorphic Signature Schemes

Together with security, there are many other properties that should be taken into account when evaluating a homomorphic signature scheme. In fact it might be important that a signature generated according to an admissible function is indistinguishable from the original ones. In other scenarios a post-quantum signature scheme is needed. In this case we have to make sure that the underlying hardness assumption is expected to face quantum computer attacks. Furthermore, there are situations where computation efficiency and shortness of the generated signatures are important features. In this chapter we discuss and define formally all the above features.

Suitable Homomorphic Signature Schemes for eVoting, Smart Grids, and eHealth

The signature schemes presented in Chap. 4 are discussed from an abstract and very general point of view. In this chapter the requirements a scheme needs to provide to be applied for a certain application will be highlighted. Specifically, in this section electronic voting, smart grids, and electronic health records are discussed. Each of the following sections is dedicated to one of them. After a brief description of the use case in question, the requirements for a homomorphic signature scheme are discussed, the state of the art is presented, and possible future work is highlighted.

State of the Art of Homomorphic Signature Schemes

In this chapter the state of the art with respect to homomorphic signature schemes is presented. Due to the large number and the different properties they satisfy, they are discussed in separate groups, according to the computations they support. The linearly homomorphic signature schemes are further divided with respect to the hardness assumption they rely on. Afterwards, the existing homomorphic signature schemes for polynomial functions and the fully homomorphic ones are described. Regarding the existing homomorphic signature schemes for the multi-users case, the linearly homomorphic aggregate signature schemes and the multiple sources linearly homomorphic signature schemes are presented separately. The investigated properties are the ones introduced in the previous section. For each scheme the underlying hardness assumption is specified, then we provide information about the efficiency of the schemes and their signature’s length. Afterwards, the general safety of the scheme is discussed: which adversary the signature can cope with and which level of privacy it achieves.

From Digital to Homomorphic Signature Schemes

A signature is a cryptographic primitive providing integrity and authenticity. Integrity means that the message signed has not been modified. Authenticity refers to the possibility of identifying its origin. In this chapter, first digital signature schemes are described and their security properties are discussed. Afterwards, the differences between those signature schemes and their homomorphic counterparts are highlighted and corresponding definitions are provided.